How MASS Embeds Functional Safety Guided by the ...

1 | © 2021 MIPI Alliance, Inc.

How MASS Embeds Functional Safety Guided by the Requirements of ISO 26262

Licinio SousaMember of MIPI Camera and Display Working Groups

Synopsys


Transition from Distributed ECUs to centralized Domain Compute Modules

New applications for ADAS, Infotainment, Connected Car & V2X

Growing number & types of Sensors: Imaging, Lidar, Radar, Infra-Red

System & SoC level Functional Safety and Reliably

Requires High Performance FinFETClass Automotive SoCs

Trends & New Applications

Sensor

Vision

Radar Lidar

ADASDomainController

ActuatorActuator

Actuator

ComfortDomainController

5G/LTE, WLAN, BT, GNSS

ConnectivityDomainController

InfotainmentDomainController

Gateway

PowertrainDomainController

Actuator

Actuator Actuator

SensorSensorSensorSensorSensor

SensorSensorSensorSensor

SensorSensorSensorSensor


MIPI in Automotive SPECIFICATIONS IN AUTOMOTIVE TODAY

Cameras, displays, audio, sensors, storage, RFFE for 5G, Wi-Fi, Bluetooth, NFC

Reuse & extend well-proven protocols == reduced NRE/cost

Intra-box usage has been limited due to lack of native long-reach PHY

CSI-2Camera Serial Interface protocolProtocol for cameras, lidar, radar sensors

DSI-2Display Serial Interface protocolProtocol for smartphone, IoT and automotive displays

C-PHY SerDes3-phase physical layer for CSI-2 & DSI-2Short-reach physical layer for cameras and displays

D-PHY SerDesDifferential physical layer for CSI-2 & DSI-2Short-reach physical layer for cameras and displays

I3CControl and data bus protocol and interfaceSensor and general-purpose data and control interface within a module

RFFERF control protocolFront-end control within a wireless module

UniPro for JEDEC UFSData transport protocol for UFS over M-PHYTransport protocol for UFS storage

M-PHY SerDes for JEDEC UFSDifferential physical layer for UFSstorageShort-reach physical transport for UFSstorage

A-PHY SerDesLong-reach (up to 15m) asymmetrical physical layer (released Sep 2020)

Most MIPI interfaces are implemented as "short reach" (~15 to ~30cm+)


MIPI Automotive SerDes Solutions (MASS) in the CarElectronic Control Unit (ECU)

• Advanced driver assistance system (ADAS) based on sensor feeds

• Produces display feeds

Sensors Examples• Camera• Lidar

Display Examples• Dashboard• Console• Side view mirrors• Entertainment

A-PHY (Bridges)• Translates between short-range

MIPI C-PHY / D-PHY & long-range MIPI A-PHY


ISO26262-5 Annex D – Communications BusAnnex D – Communication bus safety mechanisms:• One-bit hardware redundancy• Multi-bit hardware redundancy• Read back of sent message• Complete hardware redundancy

• Inspection using test patterns• Transmission redundancy• Information redundancy• Frame counter• Timeout monitoring• Combination of information redundancy, frame

counter and timeout monitoring


Functional Safety – Service Extensions (CSE/DSE)

• Flexible End-to-End Functional Safety and Security framework with SEP– Packet based: per SEP– Frame based: per Video Frame– Regions of Interest: per ROI– With compression enabled/disabled

• Example of FuSa Elements used– CRCs with Hamming distance > 3 - detecting communication failure (bad payload)

• SEP Header CRC + SEP Footer CRC• ROIs, Compression Slices / Columns etc.

– Message Sequence Counter – detecting packet loss / duplication– Timeout Monitoring – detecting potential loss of communication – Test pattern generators (solid colors, color bar, tiles etc.)– Faults injection – checking error detection mechanisms


MIPI CSI-2 Protocol with CSE


Developing Systems & SoCs Meeting Automotive Requirements

Meet quality levels required for automotive applications

Reduce risk & development time for AEC-Q100 qualification of SoCs

Accelerate ISO 26262 functional safety assessments to help ensure designers reach target ASIL levels

Reliability

Functional Safety

Quality

TemperatureLifetime

Failure rate

Reduce Risk and Accelerate Qualification

≠


Development Flows for ISO 26262 Functional Safety

Core Architecture

ISO 26262 Safety PlanCore Spec

Digital Spec

HW Safety Requirements

HW Safety Goals

FIT Rate Analysis

HW Safety Features

RTL Design

Design Implementation

FPGA

Safety Manual

FMEDA Report

Validation

Fault Injection / Coverage Analysis

IP/SoC Level Verification

Module Design Verification

Consumer Flow +Automotive

ASIC

Activities & Work Products for Automotive SoCs & IP


Automotive IP with FuSa FunctionalitySynopsys Adds Specific Safety Mechanisms Functionality to DesignWare Automotive IP

• User interface protection

• Buffer point protection• Error detection codes• Parity protection data• Parity protection on

configuration registers• Memory protection• Bad state

protection/prevention

More…RedundancyProtection• Duplicate key

modules• Triplicate key modules

• Register concatenation• Validity checking in key

modules• Dedicated interrupts for

error reporting• Processor Dual Core

Lockstep support• Processor user

programmable watchdog timer

Note: Specific IP implements different range of safety features

Automotive Safety Integrity Level (ASIL)

ASIL B/C

Driver Assist

ASIL D

Self Driving

RadarASIL

D

Front View

Camera

ASIL D

Smart Rear View

CameraASIL D

Braking (inadvertent)

ASIL D

Airbag (inadvertent)

ASIL D

Electric Power

SteeringASIL D

Evolving ASIL Requirements

Risk Avoidance Potential

A B C D

Front View

Camera

ASIL B

Smart Rear View

Camera ASIL B

Radar

ASIL C


Additional Safety Mechanisms to Meet ASIL B & Beyond

MIPI CSI-2S

Protocol

MIPID-PHYS

C-PHYSRX TXECC for closely

coupled SRAMs

Parity Protection delivered & checked at

user interface

Parity Protection on internal data paths

User Interface:ECC added at data path portsParity added for address ports

Register Space ProtectionPPI Interface

Image/Config I/F

Module Redundancy Protection for critical logic

MIPI CSI-2 • CSI-2 best-in-class example

• Safety Mechanisms to achieve ASIL B Random HW Fault metrics

• Each Safety Mechanism has an associated Reaction Time: Fault Handling Time Interval and Error Flag

Example of an Automotive-Grade MIPI CSI-2 IP


Safety Manager for SoC-Level Integration

MIPI DSI-2Controller

Interconnect

OTP(Device Identity)

Secure Boot FSMMIPI CSI-2Controller

MIPIPHY

MIPIPHY

LPDDRController

LPDDR PHY

Peripherals(I2C, I2S, UART, WDT, RTC,

Timers, SPI, QSPI)

Safety Network

Safety Manager Processor

FuSA SW Stack

Safety Bus

LBIST Server

Memory #1

Wrapper

ECC

Memory #N

Wrapper

ECC

Wrapper WrapperSecurity HSM

Crypto

TRNG

SHS

AI Processor/DSP Processor

Wrapper

Other IP

Application Processor(s)

(HS4xFS)


(HS4xFS)


(HS4xFS)

ASIL-BCompute

Processor(s)


(HS4xFS)


(HS4xFS)Application Processor(s)

(HS4xFS)ASIL-D

Compute Processor(s)

Wrapper

• Safety Manager monitors and manages all system failures and real-time faults; safe boot and mission-mode testing

Monitoring and Managing Functional Safety Capabilities


Need to Design for Reliability

• Environmental• Temperature• Noise• Vibration• Long term operation• Field rate (targeting 0%)

AEC-Q100 Qualification

Accelerated Lifetime

Simulation TestsElectrical Verification Tests

HTOL ELFR ESDHBM

ESD CDM

ICLatch Up

E D CHAR

Design

Testing

AUTO DRC/PDK

Design Rules

Mission Profile

AEC-Q100 Standard Sample sizeType of TestsTest timeConditions Report

SoC/IP Testchip

Grade Ambient Operating Temperature Range

0 -40⁰C to +150⁰C

1 -40⁰C to +125⁰C

2 -40⁰C to +105⁰C

3 -40⁰C to +85⁰C

Handling the Stringent Operating Conditions


Need for a Comprehensive Automotive-Grade MIPI IP

MIPI Automotive-Grade IP Package22nm - 16nm - 7nm - 5nm

Automotive SoC22nm - 16nm - 7nm - 5nm

CSI-2 / DSI / DSI-2 Controllers

C-PHY / D-PHY

SAFEFTY

• SAFETY MANUAL

• FMEDA• FuSa

CERTIFICATE• RANDOM• SYSTEMATIC• WORK

PRODUCTS

RELIABILITY

• MISSION PROFILE

• AUTO PDK/RULES

• GRADE 2/1• AEC-Q100

REPORT

QUALITY

• ISO 9001 QUALITY MANAGEMENT SYSTEM

• QUALITY MANUAL

Safety Reliability Quality


How MASS Embeds Functional Safety Guided by the ...

Documents